SSO for Microsoft Entra enables your WordPress site to authenticate users through Microsoft Entra ID (formerly Azure Active Directory). Users can sign in with their existing Microsoft 365 / work accounts — no separate WordPress password required.
Key features:
- OpenID Connect (OIDC) authorization code flow with PKCE — the most secure OAuth 2.0 flow; the client secret is never exposed to the browser.
- Automatic user provisioning — create WordPress accounts on first SSO login.
- Encrypted client-secret storage using WordPress secret keys.
- Configurable rate limiting on SSO login attempts.
- Optional auto-redirect from the WordPress login page directly to Entra.
- Contextual Help tabs with setup guides built into the settings page.
- Vietnamese translation included. Community translations via translate.wordpress.org.
- No jQuery dependency.
External Services
This plugin communicates with Microsoft Entra ID (Azure AD) endpoints to perform OpenID Connect authentication.
What data is sent and when:
- When a user clicks “Sign in with Microsoft”, their browser is redirected to the Microsoft authorization endpoint. No user data is sent by the plugin at this stage — Microsoft handles the login form.
- After the user authenticates, the plugin exchanges an authorization code for tokens by sending the code, client ID, client secret, and PKCE verifier to the Microsoft token endpoint. This happens server-to-server.
- The plugin fetches the OIDC discovery document and JSON Web Key Set (JWKS) to validate token signatures. These are public endpoints and no user data is sent.
Endpoints contacted:
- Authorization: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
- Token exchange: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
- OIDC discovery: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
- JWKS (token signing keys): URL from the discovery document, typically https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
- Logout: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout
All endpoints are owned and operated by Microsoft Corporation. The {tenant} value is the Directory (tenant) ID configured by the site administrator.
No data is sent to any other third-party services. Authentication tokens are validated locally using public signing keys and are never stored beyond the active session.
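To make the PKCE and local token-validation steps described above concrete, here is an added Python example (not the plugin's own code) showing how an OIDC relying party derives the S256 code challenge, builds the Entra authorization request, and checks the ID token claims once the JWKS signature check has passed. Tenant ID, client ID, state and nonce values used with it are constructed placeholders, and a single-tenant app registration is assumed.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

def b64url(data):
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    """Fresh verifier (43 chars, within the allowed 43..128) and its challenge.
    The verifier stays in the server-side session; only the challenge leaves."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)

def authorize_url(tenant, client_id, redirect_uri, challenge, state, nonce):
    """Authorization request. state binds the callback to the browser session,
    nonce binds the ID token to this request, challenge binds the code."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": "openid profile email", "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))

def id_token_problems(claims, tenant, client_id, expected_nonce, now=None, skew=300):
    """Claim checks to run after the JWKS signature check has passed.
    Returns the names of failing claims; an empty list means accept."""
    now = time.time() if now is None else now
    bad = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        bad.append("iss")    # issued by our tenant's v2.0 endpoint
    if claims.get("tid") != tenant:
        bad.append("tid")    # single-tenant app: reject other tenants' tokens
    if claims.get("aud") != client_id:
        bad.append("aud")    # minted for this app registration
    if claims.get("nonce") != expected_nonce:
        bad.append("nonce")  # ties the token to the request we started
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or exp + skew <= now:
        bad.append("exp")    # expired (beyond clock skew)
    if not isinstance(nbf, (int, float)) or nbf - skew > now:
        bad.append("nbf")    # not yet valid
    return bad
```

The PKCE vector from RFC 7636 Appendix B can be used to sanity-check `pkce_challenge`; a login should be rejected whenever `id_token_problems` returns a non-empty list.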
Support
- Bug reports and feature requests: GitHub Issues
- Documentation: Click the Help button on the plugin settings page, or see the GitHub README.
- Security vulnerabilities: Please report privately via GitHub Security Advisories.
Upgrade Notices
2.6.0
No manual action required. Legacy microsoft_entra_sso_* options are migrated automatically to sfme_* on the next admin page load.
2.2.0
SAML 2.0 support has been removed. If you were using SAML, switch to OpenID Connect: create an Azure App Registration, set the redirect URI to https://yoursite.com/sso/callback, and enter your Tenant ID, Client ID, and Client Secret.
2.0.2
Client Secret field is now hidden for SAML setups and no longer triggers a missing-field warning.
2.0.1
Fix WordPress 6.9 compatibility header and Plugin Check compliance.
2.0.0
Breaking: Plugin renamed and all internal prefixes changed. Settings auto-migrate on activation — just deactivate and reactivate. Requires PHP 8.1+.
1.1.0
Breaking: Update Azure redirect URI to https://yoursite.com/sso/callback. Re-enter client secret (encryption changed). Flush permalinks.
1.0.0
Initial release.
